Hi all,

I've scanned the Alexa top 1 million again. Since we've had Heartbleed in between this and the previous scan, the differences are visible.

Key points:
 * percent of RC4 only servers is falling (is 1.38%, was 1.77%)
 * percent of sites that prefer RC4 has fallen by a small amount (is 18.7%, was 19.5%)...
 * ...but percent of sites that use RC4 in TLS1.1+ has grown (is 11.78%, was 10.4%)
 * percent of certificates signed with SHA256 has grown significantly (is 10%, was 5.2%)
 * emergence of first sites that use only certificates signed with ECDSA
 * number of sites supporting TLS1.2 continues to grow (is 54%, was 47%)

SSL/TLS survey of 318366 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have a valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      276767    86.9336
3DES Only                 138       0.0433
AES                       296231    93.0473
AES Only                  931       0.2924
AES-CBC Only              589       0.185
AES-GCM                   121700    38.2264
AES-GCM Only              4         0.0013
CAMELLIA                  127348    40.0005
CAMELLIA Only             1         0.0003
CHACHA20                  19834     6.2299
RC4                       283666    89.1006
RC4 Only                  4401      1.3824
RC4 Preferred             59422     18.6647
RC4 forced in TLS1.1+     37507     11.7811
z:ADH-DES-CBC-SHA         1031      0.3238
z:ADH-SEED-SHA            863       0.2711
z:AECDH-NULL-SHA          9         0.0028
z:DES-CBC-MD5             254       0.0798
z:DES-CBC-SHA             60478     18.9964
z:DHE-RSA-SEED-SHA        51890     16.2989
z:ECDHE-RSA-NULL-SHA      7         0.0022
z:EDH-RSA-DES-CBC-SHA     49291     15.4825
z:EXP-ADH-DES-CBC-SHA     625       0.1963
z:EXP-DES-CBC-SHA         49466     15.5375
z:EXP-EDH-RSA-DES-CBC-SHA 35342     11.1011
z:EXP-RC2-CBC-MD5         46932     14.7415
z:IDEA-CBC-MD5            27        0.0085
z:IDEA-CBC-SHA            51847     16.2853
z:NULL-MD5                319       0.1002
z:NULL-SHA                313       0.0983
z:NULL-SHA256             10        0.0031
z:RC2-CBC-MD5             281       0.0883
z:SEED-SHA                65444     20.5562

Supported Handshakes      Count     Percent
-------------------------+---------+-------
DHE                       153909    48.3434
ECDHE                     134412    42.2193

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               145147    45.5912  94.307
DH,2048bits               7568      2.3771   4.9172
DH,3072bits               2         0.0006   0.0013
DH,3248bits               2         0.0006   0.0013
DH,4096bits               428       0.1344   0.2781
DH,4097bits               2         0.0006   0.0013
DH,512bits                92        0.0289   0.0598
DH,768bits                673       0.2114   0.4373
ECDH,B-163,163bits        1         0.0003   0.0007
ECDH,B-571,570bits        294       0.0923   0.2187
ECDH,P-224,224bits        3         0.0009   0.0022
ECDH,P-256,256bits        133565    41.9533  99.3698
ECDH,P-384,384bits        165       0.0518   0.1228
ECDH,P-521,521bits        450       0.1413   0.3348
Prefer DH,1024bits        98851     31.0495  64.2269
Prefer DH,2048bits        2143      0.6731   1.3924
Prefer DH,4096bits        34        0.0107   0.0221
Prefer DH,512bits         1         0.0003   0.0006
Prefer DH,768bits         74        0.0232   0.0481
Prefer ECDH,B-163,163bits 1         0.0003   0.0007
Prefer ECDH,B-571,570bits 236       0.0741   0.1756
Prefer ECDH,P-256,256bits 94746     29.7601  70.4892
Prefer ECDH,P-384,384bits 115       0.0361   0.0856
Prefer ECDH,P-521,521bits 409       0.1285   0.3043
Prefer PFS                196610    61.756   0
Support PFS               245327    77.0582  0

Certificate sig alg       Count     Percent
-------------------------+---------+--------
None                      9994      3.1392
ecdsa-with-SHA256         2         0.0006
sha1WithRSAEncryption     286277    89.9207
sha256WithRSAEncryption   32146     10.0972

Certificate key size      Count     Percent
-------------------------+---------+--------
ECDSA 384                 2         0.0006
RSA 1024                  1935      0.6078
RSA 2028                  1         0.0003
RSA 2047                  2         0.0006
RSA 2048                  304898    95.7696
RSA 2049                  2         0.0006
RSA 2056                  3         0.0009
RSA 2058                  1         0.0003
RSA 2060                  1         0.0003
RSA 2064                  1         0.0003
RSA 2080                  3         0.0009
RSA 2084                  4         0.0013
RSA 2345                  1         0.0003
RSA 2408                  1         0.0003
RSA 2432                  60        0.0188
RSA 2536                  1         0.0003
RSA 2612                  1         0.0003
RSA 3000                  1         0.0003
RSA 3050                  1         0.0003
RSA 3072                  19        0.006
RSA 3248                  3         0.0009
RSA 3600                  1         0.0003
RSA 4042                  1         0.0003
RSA 4046                  1         0.0003
RSA 4048                  1         0.0003
RSA 4069                  1         0.0003
RSA 4086                  1         0.0003
RSA 4092                  2         0.0006
RSA 4096                  11427     3.5893
RSA 4098                  1         0.0003
RSA 4192                  2         0.0006
RSA 8192                  3         0.0009
RSA/ECDSA Dual Stack      0         0.0

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      621       0.1951
SSL2 Only                 73        0.0229
SSL3                      314763    98.8683
SSL3 Only                 3524      1.1069
SSL3 or TLS1 Only         140708    44.1969
TLS1                      314191    98.6886
TLS1 Only                 1117      0.3509
TLS1.1                    164225    51.5837
TLS1.1 Only               8         0.0025
TLS1.1 or up Only         68        0.0214
TLS1.2                    173049    54.3554
TLS1.2 Only               48        0.0151
TLS1.2, 1.0 but not 1.1   12720     3.9954

Scan performed between 7th and 15th of May 2014, full results available upon request - 45MiB xz tarball.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security